A New Approach to Cyber Defense

Recent news stories have highlighted the extent to which American companies have been subjected to cyber attacks. (The week-long series on cyber security by FOX Business is perhaps the most notable example.) It is increasingly clear that cyber attacks imperil our national security and economic future.

Yet while it is obvious that new defensive measures are needed, the remedies policy makers instinctively reach for are nearly all inappropriate. The main reason is that practically everything involved with cyber attacks changes so quickly: the techniques employed by cyber attackers, the information systems that need to be protected, the individual attack tools, the counter-measures needed by defenders.

Some policy makers believe the government should impose mandatory cyber security standards. Yet by the time such standards have been formulated and are being enacted, they will not only be obsolete, but probably an active impediment to the security measures that are most needed.

Other policy makers want software and electronics to be certified as “vulnerability-free” before they are used in critical contexts. Yet by the time any information technology has gone through a certification process, it is guaranteed to be out of date from a security standpoint.

Still other policy makers want the Federal government to scan all the traffic coming into critical systems to make sure it doesn’t contain malicious programs. Yet malicious programs are now changing and mutating at such a rate that no one knows how to recognize them reliably.

Nearly every type of government response that has been used to deal with past dangers is rendered practically useless by the sheer rate of change in cyber security.

It might seem this makes the situation hopeless. Yet this extraordinary rate of change, which threatens to swamp any conventional policy response, conceals a great opportunity.

What is it that America and our close allies do better than anyone else? We innovate. Coming up with new technology is one of the things we do best. Almost all modern technology has come out of America and a handful of other Western countries. Silicon Valley and similar high-tech hubs around the country are an almost uniquely American phenomenon. The most innovative organization the world has ever seen is the American “start-up” company.

So why respond to the dangers created by technological innovation with mandatory standards, certification procedures, and other policies that try to hold back change? Instead, America should respond to the rapidly evolving dangers of cyber attacks by doing what we do best. We should accelerate innovation in cyber security.

Many people point to China as one of the greatest cyber threats. But does anyone believe that America and Western countries have anything to fear from China if the game is about who can maintain the highest rate of technological innovation? If we are in danger of losing a cyber conflict, shouldn’t we make sure the game is about something that we are extremely good at?

The extraordinary rate of change in information technology and cyber security could be made into as big a problem for attackers as it has previously been for defenders. Cyber attackers need time to find ways to circumvent new security systems. They need time to explore target systems and to find vulnerabilities in them. They need time to develop and build attack tools. They need time to lay the groundwork in target systems for future attacks. Policies that accelerate change in cyber defenses could help tilt the balance back toward defenders.

If we start thinking about ways to accelerate innovation in cyber security, rather than hold it back, a host of new possibilities present themselves. We should begin by consciously promoting the accelerated invention of new security technologies. Government-sponsored research programs should aim, not at permanent solutions, but at technologies that can be rapidly renovated or replaced. Instead of trying to pay outright for innovations, the government should leverage its expenditures by using them to reduce the risks to for-profit private investors. That way the bulk of the investment money needed for rapid innovation would be supplied by the private sector. Investment could be switched from less promising lines of research to more promising ones as quickly as their prospects could be assessed. Supplementary government funding could be offered to research efforts that would be made public, but otherwise owned by the corporations managing them. Security technologies that are developed entirely in national laboratories and government-funded university programs should be “spun out” and sold to investors, so they can turn the innovations into viable commercial products as quickly as possible.

This national program to promote the accelerated invention of new security technologies needs to be accompanied by a program to accelerate the rate at which products based on these technologies are adopted. We need to establish better methods of collecting and disseminating information on cyber attacks, so that companies are focused on today’s threats, not yesterday’s. We need to foster better sources of information on the security technologies themselves, so that individual companies are not burdened with the entire costs of researching and evaluating them before making a purchase. We should require publicly traded companies to have a Chief Information Security Officer (CISO) who is responsible for making specific cyber security decisions for his or her company. We should make it advantageous from a tax standpoint to bring cyber security measures up to date.

Government organizations are usually among the slowest institutions to adopt new security technologies. We should think about ways to make them among the fastest. Instead of having the government delay any purchases of information technology until they have been certified, we should be thinking of ways to speed up government procurement processes, so that the best new security technologies are implemented faster. Instead of more elaborate credentialing and review processes, we should be finding nimbler ways to credential people and companies, while they’re still hot innovators, not government-mandated bureaucracies.

Instead of imposing some fixed system of cyber security on corporations and government agencies, we should be encouraging them to renew their security measures at such a rate that last season’s cyber attack tools will already be out of date. People are used to assuming that a slow, “cautious” approach to change is the safest. But in the rapidly changing world of cyber attacks, a slow approach is often the most dangerous. It is time to shake off the policy assumptions left over from a slower era. It is time to reshape the cyber conflict into one we can win.

Scott Borg is the Director and Chief Economist of the U.S. Cyber Consequences Unit, a non-profit research institute. Elad Yoran is the CEO of Vaultive, a cyber-security company.